Joe Andrieu and the Information Sharing Working Group have put a lot of work and effort into creating a standard set of Information Sharing Agreements represented by a standard label. They want to invest in user research to make it really work.

I am putting in $100 and I encourage all of you to do the same. They need to raise $12000 in the next 8 days.

When Google+ launched, I went with my handle as my last name. This makes a ton of sense to me. If you asked most people what my last name is, they wouldn’t know. It isn’t “common” for me. Many people don’t even seem to know my first name. I can’t tell you how many times I have found myself talking with folks at conferences this past year and seeing ZERO lightbulbs going off when I say my name “Kaliya”, but when I say I have the handle or blog “Identity Woman” they are like “Oh wow! You’re Identity Woman… cool!” with a tone of recognition – because they know my work by that name.

One theory I have about why this works is because it is not obvious how you pronounce my name when you read it. And conversely, it isn’t obvious how you write my name when you hear it. So the handle that is a bit longer but everyone can say and spell, “Identity Woman”, really serves me well professionally. It isn’t like some “easy to say and spell” Google guy name like Chris Messina or Joseph Smarr or Eric Sachs or Andrew Nash. I don’t have the privilege of a name like that so I have this way around it.

So today…I get this

I have “violated” community standards when using a name I choose to express my identity – an identity that is known by almost all who meet me. I, until last October, had a business card for 5 years that just had Identity Woman across the top.

Display Name – To help fight spam and prevent fake profiles, use the name your friends, family, or co-workers usually call you. For example, if your full legal name is Charles Jones Jr. but you normally use Chuck Jones or Junior Jones, either of these would be acceptable. Learn more about your name and Google Profiles.

I was recently CCed in a tweet referencing this article, “Why Real ID is a Really Bad Idea”, about World of Warcraft implementing their version of a “Real ID” in a way that violated the trust of its users.

The woman writing the article is very clear on the identity “creep” that happened and got to the point of requiring users to use the Real ID account within the system to post on forums and EVERYWHERE they interacted on company websites.

She articulates clearly why this creates an unhealthy climate and a chilled atmosphere for many users.

“The High Court has given permission for an injunction to be served via social-networking site Twitter. The order is to be served against an unknown Twitter user who anonymously posts to the site using the same name as a right-wing political blogger. The order demands the anonymous Twitter user reveal their identity and stop posing as Donal Blaney, who blogs at a site called Blaney’s Blarney. The order says the Twitter user is breaching the copyright of Mr. Blaney. He told BBC News that the content being posted to Twitter in his name was ‘mildly objectionable.’ Mr. Blaney turned to Twitter to serve the injunction rather than go through the potentially lengthy process of contacting Twitter headquarters in California and asking it to deal with the matter. UK law states that an injunction does not have to be served in person and can be delivered by several different means including fax or e-mail.”

This year at SXSW I moderated a panel about OpenID, OAuth and data portability in the Enterprise. We had a community lunch after the panel, and walking back to the convention center, I had an insight about a key missing piece of software – Privileged Account Management (PAM) for the Social Web – how are companies managing multiple employees logging in to their official Twitter, Facebook and YouTube accounts?

I thought I should also explain some key things to help understand conventional PAM then get to social web PAM in this post covering:

regular identity management in the enterprise,

regular Privileged Account Management in the enterprise

Privileged Account Management for the Social Web.

1) IdM (Identity Management) in the Enterprise

There are two words you need to know to get IdM and the enterprise: “provisioning” and “termination”.

a) An employee is hired by a company. In order to login to the company’s computer systems to do their work (assuming they are a knowledge worker), they need to be provisioned with an “identity” that they can use to log in to the company systems.

b) When an employee leaves (retires, quits, laid off, fired), the company must terminate this identity in the computer systems so that the employee no longer has access to these systems.

The next thing to understand is logs.

So, an employee uses the company identity to do their work and the company keeps logs of what they do on company systems. This kind of logging is particularly important for things like accounting systems – it is used to audit and check that things are being accurately recorded, and who did what in these systems is monitored, thus addressing fraud with strong accountability.

I will write more about other key words to understand about IdM in the enterprise (authentication, authorization, roles, directories) but I will save these for another post.

2) Ok, so what is Privileged Account Management in the Enterprise?

A privileged account is an “über”-account that has special privileges. It is the root account on a UNIX system, a Windows Administrator account, the owner of a database or router access. These kinds of accounts are required for the systems to function, are used for day-to-day maintenance of systems and can be vital in emergency access scenarios.

They are not “owned” by one person, but are instead co-managed by several administrators. Failure to control access to privileged accounts, knowing who is using the account and when, has led to some of the massive frauds that have occurred in financial systems. Because of this, the auditing of logs of these accounts is now part of compliance mandates in

Sarbanes-Oxley

the Payment Card Industry Data Security Standard (PCI DSS),

the Federal Energy Regulatory Commission (FERC),

HIPAA.

Privileged Account Management (PAM) tools help enterprises keep track of who is logged into a privileged account at any given time and produce access logs. One way this software works is: an administrator logs in to the PAM software, and it then logs in to the privileged account they want access to. The privileged account management product grants privileged user access to privileged accounts [1].
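The check-out flow described above, as an added example that is not from the original post or any PAM product: administrators authenticate as themselves, the broker holds the shared secret, and every action is logged against a named person. The class, account name and commands are hypothetical; `terminate()` applies the "termination" step from the IdM section to live privileged sessions.

```python
import secrets
from datetime import datetime, timedelta, timezone


class PamBroker:
    """Holds shared secrets and records which named admin used which account."""

    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._vault = {}      # account -> shared secret (never handed to admins)
        self._acl = {}        # account -> admins allowed to check it out
        self._sessions = {}   # session id -> (admin, account, expiry)
        self.audit_log = []   # what an auditor reviews

    def _log(self, admin, account, event, detail=""):
        self.audit_log.append({"time": self._clock().isoformat(), "admin": admin,
                               "account": account, "event": event, "detail": detail})

    def register_account(self, account, secret, admins):
        self._vault[account] = secret
        self._acl[account] = set(admins)

    def check_out(self, admin, account, reason, ttl_minutes=30):
        if admin not in self._acl.get(account, set()):
            self._log(admin, account, "DENIED", reason)
            raise PermissionError(f"{admin} may not use {account}")
        sid = secrets.token_hex(8)
        expiry = self._clock() + timedelta(minutes=ttl_minutes)
        self._sessions[sid] = (admin, account, expiry)
        self._log(admin, account, "CHECK_OUT", reason)
        return sid

    def run(self, sid, action):
        admin, account, expiry = self._sessions.get(sid, (None, None, None))
        if admin is None or self._clock() >= expiry:
            self._sessions.pop(sid, None)
            self._log(admin, account, "REJECTED", action)
            raise PermissionError("no live session")
        # A real broker would log in with self._vault[account] at this point.
        self._log(admin, account, "ACTION", action)
        return f"{account}: {action}"

    def terminate(self, admin):
        """De-provision an admin: drop ACL entries and kill live sessions."""
        for members in self._acl.values():
            members.discard(admin)
        for sid, (who, account, _) in list(self._sessions.items()):
            if who == admin:
                del self._sessions[sid]
                self._log(admin, account, "REVOKED", "termination")

    def who_used(self, account):
        return [(e["admin"], e["detail"]) for e in self.audit_log
                if e["account"] == account and e["event"] == "ACTION"]


def demo():
    # Constructed sample data: one shared root account, two administrators.
    broker = PamBroker()
    broker.register_account("root@db01", "constructed-secret", {"alice", "bob"})
    a = broker.check_out("alice", "root@db01", "patch window")
    b = broker.check_out("bob", "root@db01", "restore backup")
    broker.run(a, "apt upgrade")
    broker.run(b, "pg_restore nightly.dump")
    broker.terminate("bob")
    try:
        broker.run(b, "drop database")   # bob's session died with his access
    except PermissionError:
        pass
    return broker


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```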

There are two companies offering a service to parents, WQN and Aegis Mobility – there is software and then a monthly fee. The services track the kids and turn off their phones in certain locations.

WQN’s surveillance service promises more than just disabling the phone in cars. It can monitor a person’s whereabouts, notifying parents by text messaging when their children step out of designated zones or return home. It also can turn off a cell phone at school, preventing cheating by text messaging during classroom tests, based on a reading of the school’s location.

The question parents would have to ask themselves is whether they’d want to prohibit their children’s activities this way. That kid you’re trying to control might not be driving, but rather sitting on a train or a city bus or in the passenger seat of a buddy’s car.

It seems like a whole set of technology tools that are part of enabling over-parenting. Sigh.

Recently a reporter from a known tech publication was at a conference I was leading. She asked me
“what is interesting that is happening right now.”
I said “the nonprofit technology session.”
She said – “well I cover business issues.”
I shared with her that one of the largest vendors of nonprofit technology, Kintera, was a publicly traded company AND that there were big business opportunities for providing technology solutions in that sector. She looked at me surprised, as if it had never occurred to her that you could make money in this sector. Recently the two other large vendors in the space merged – Get Active and Convio. They became just Convio and are now the largest vendor in the sector.

It is incumbent on all software vendors serving the nonprofit sector to open opportunities for nonprofits to have greater choice and flexibility in pursuing their missions.

To meet the expectations of nonprofits today — and five years from now — software vendors need to facilitate interoperability between systems and enable integration between offline and online data and the new Web. And they should do so with one clear purpose in mind: to open the possibilities for nonprofits to find and engage constituents to support their missions.

The NTEN community has been leading the charge for openness. With Salesforce and Facebook, Convio has embraced openness as a way of doing business.

Software vendors should:

1. provide nonprofit organizations of all sizes and in any stage of Internet adoption the flexibility to integrate with other web or database applications to exchange constituent and campaign data.
2. make their Open APIs available to clients, partners, and a broad developer community.
3. expose Open APIs as part of their core product functionality.
4. proactively use APIs provided by other companies in addition to providing their own.
5. make their API documentation publicly available and provide a forum for sharing and discussing best practices and exchanging code examples.
6. publish a roadmap for their API development and encourage participation in the development of that roadmap.
7. make their APIs accessible to nonprofits at a level that does not require extensive technical expertise to leverage those APIs.

Some of you may know that I have roots in a community called Planetwork that has had an interest in ‘alternative’ currency and the role that digital identity could play in emergent currency systems.

So, today my interest was piqued by this e-mail from Biz Stone at Twitter talking about an interesting new application being built on Twitter.

Do You Owe Someone A Beer?

Foamee.com is a fun IOU system built on Twitter that helps you track who you owe beers to (and vice versa). All you have to do is follow the account “ioubeer” and then send it @replies. So, say you owe me a beer for helping you change a flat tire, this is what you’d send to Twitter:

@ioubeer @biz for helping me change that flat tire

Then, your IOU will show up on the front page at foamee.com. There’s even a way to tell it when that beer has been redeemed. I think a root beer version is in the works. Maybe even a latte version? Those are foamy too. Dan Cederholm of SimpleBits design is the mastermind behind this fanciful creation. We think it’s really cool. Thanks Dan, we owe you a frosty one!

So, I got a shiny new iPhone (for facilitating office 2.0’s Unconference) but I can’t get it to work yet.

I have MetroPCS – the ‘ghetto phone’. For those of you who don’t know, it works like this – you buy the handset, you pay them your monthly fee on time or they turn your phone off. You have unlimited local and long distance calling. SIMPLE. No bills, no rolling min, just a phone that works. The catch – your phone only works in your metro area. This is why I have another number (from T-Mobile) that I pay by the min for when I travel to different cities.

So I went to sign up for the new iPhone via my computer. It won’t just let me get an account. I have to get ‘pre-approved’ credit from an AT&T store. To be honest I have not done a lot to get ‘credit’ so I am not surprised. I don’t have a credit card. I don’t have a loan for a car or anything.

My husband and I went to the AT&T store so that I could piggyback on his account/credit and get a phone activated. I decided I would try and port my number. They want to know not only my phone number but my ‘account number’ (remember I have the ghetto phone plan – no bills no nothing that I see an ‘account number’ on). They also want to know my address in their records AND my name. I have this feeling that when I got this phone 4 years ago that I had a different address and I was still going by my maiden name. These things are all not ‘persistent’. I am not sure what their records say, and if I don’t know, I must not be me, right?

All I knew and all they put in their system was my phone number. I get this phone call from them asking me to call them back and give them more information so they can port my number for me.

I am thinking it is all too much trouble and I should get a Grand Central number and a new number from them and tell everyone my Grand Central number.

Anyone have any thoughts on their service to date or making this kind of choice? With Google acquiring them they are not going to go out of business any time soon.

New York City is seeking funding for a multi-million dollar surveillance system modeled on the one used in London. Police in the city already make use of the network of cameras in airports, banks, department stores and corporate offices — an arrangement used in cities across the country. This new project would augment that network with a city-wide grid. ‘The system has four components: license plate readers, surveillance cameras, a coordination center, and roadblocks that can swing into action when needed. The primary purpose of the system is deterrence, and then an investigative tool.’ But is it necessary? Steven Swain from the London Metropolitan Police states ‘I don’t know of a single incident where CCTV has actually been used to spot, apprehend or detain offenders in the act.’ Asked about their role in possibly stopping acts of terror, he said pointedly: “The presence of CCTV is irrelevant for those who want to sacrifice their lives to carry out a terrorist act.”

The implementation of the plan, called the Lower Manhattan Security Initiative, will require about $90 million, New York City Police Commissioner Ray Kelly said. It will cost about $8 million a year to maintain.

The city so far has raised about $25 million. Part of it has come from the Homeland Security Department and the rest from city coffers.

Donna Lieberman, the executive director of the New York Civil Liberties Union, said she was alarmed by the prospect of government and law enforcement officials having records of a person’s daily activities.

“It wasn’t that long ago that J. Edgar Hoover was up to his dirty tricks using government spying to interfere with lawful dissent, undermine critics and pursue an unlawful agenda,” she said.

However, police officials repeatedly note there is no expectation of privacy in a public area and it is not a constitutional right.

I am down here at Mashup Camp that I am facilitating tomorrow and the next day. At the social hour around the pool I ran into Joseph Smarr and got the scoop.

“We’re releasing full OpenID relying-party support, so you’ll be able to sign up for a Plaxo account using an OpenID and/or attach OpenIDs to your existing Plaxo account. I’m also publishing a step-by-step implementation guide for OpenID-enabling existing sites based on the work I did for Plaxo.”

it would seem that “user-centric” identity is about creating an “agent-in-the-middle” architecture for identity systems. An agent (usually automated) for the user sits in the middle of the identity flow, analyzing the flow request and determining how to handle the response. The determination would be based on policies defined by the user. It may require the agent to bring the user in for an explicit approval, or it may automatically approve or reject the flow based on previous user preferences (similar to the user checking the box that says “do not ask me again”). It may also apply a configured rule or policy to the identity flow that determines the action to take – ask user, approve, reject.
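The "agent-in-the-middle" decision described above, as an added example that is not from the original post: an agent checks user-defined rules, falls back to a remembered "do not ask me again" answer, and otherwise brings the user in. The rule format, attribute names and relying-party hosts are hypothetical.

```python
from dataclasses import dataclass, field

APPROVE, REJECT, ASK = "approve", "reject", "ask"


@dataclass
class UserAgent:
    attributes: dict                                  # the user's identity data
    rules: list = field(default_factory=list)         # (relying party, attribute, action)
    remembered: dict = field(default_factory=dict)    # (relying party, attribute) -> action
    default: str = ASK

    def decide(self, rp, attr):
        # 1. Explicit policy wins; "*" is a wildcard, first matching rule applies.
        for rule_rp, rule_attr, action in self.rules:
            if rule_rp in ("*", rp) and rule_attr in ("*", attr):
                return action
        # 2. Then an earlier answer the user asked the agent to remember.
        if (rp, attr) in self.remembered:
            return self.remembered[(rp, attr)]
        # 3. Otherwise bring the user in.
        return self.default

    def handle(self, rp, requested, prompt):
        """Process one identity flow.

        prompt(rp, attr) -> (approved, remember) is how the user is asked.
        Returns the attributes actually released plus a per-attribute trace.
        """
        released, trace = {}, []
        for attr in requested:
            action = self.decide(rp, attr)
            if action == ASK:
                approved, remember = prompt(rp, attr)
                action = APPROVE if approved else REJECT
                if remember:
                    self.remembered[(rp, attr)] = action
                trace.append((attr, "asked:" + action))
            else:
                trace.append((attr, action))
            if action == APPROVE and attr in self.attributes:
                released[attr] = self.attributes[attr]
        return released, trace


def demo():
    # Constructed sample data.
    agent = UserAgent(
        attributes={"nickname": "idw", "email": "k@example.org", "ssn": "000-00-0000"},
        rules=[("*", "ssn", REJECT), ("blog.example", "nickname", APPROVE)],
    )

    def approve_and_remember(rp, attr):
        return True, True   # the user ticks "do not ask me again"

    first = agent.handle("blog.example", ["nickname", "email", "ssn"], approve_and_remember)
    second = agent.handle("blog.example", ["email"], approve_and_remember)
    return first, second


if __name__ == "__main__":
    for released, trace in demo():
        print(released, trace)
```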

So who were these agents? One was WiMoto – when I first talked to Scott Redmond he was explaining his tool…and I just didn’t like it..about advertising on my phone etc…THEN all of a sudden I ‘got it’ – I said “oh this is cool you have a user-agent.” I explained what it was from our ‘user-centric identity’ perspective. He was like, sure, I guess that is what we have. I met him early in the evening of a cocktail party where he would be demoing throughout. At the end he said he was eternally indebted to me for giving him that word “user-agent”. Apparently it let him communicate effectively to the other folks all night. It is now on the front page of their website. I still don’t get exactly how it works though.

The second user-agent I found was MyStrands – it is a mobile social networking app for night clubs. So you can text to the screen when you are in shared space together (like at the night club). It also lets you opt in to get information about the bands and clubs. So it is a promotion network. They look like they are going somewhere!

I got an invitation to SpokeIn touch yesterday. This is “the open network for business people”. What I didn’t get was how it was any different than any other ‘stay in touch’ thing like Plaxo (which I don’t use). In fact I am not going to use anything in this genre until they are using open standards that interoperate with other systems. Below the fold is the actual e-mail if you want to dive into it. And no I don’t want to sprinkle the world with my hCards. Please consider building the equivalent using XRI/XDI. It also strikes me that one would need to trust the service one is sharing all this information with. I have no basis for trusting them right now – who has had a good experience with them?

I went through TechCrunch today as I do on a weekly basis to check out what is new in web2 land. Lots of kids building interesting things but I kind of think mmmm…to a lot of them. Also lots of acquisition rumors. By the end of it I wondered why me? Why this industry almost completely devoid of meaning in a particular way.

Certain kinds of databases are going to become really big and really useful. We are just in the early stages where for example digital identity doesn’t really work yet but that world start to coalesce, where all these different sources of identity will start to be resolved and connect to each other. And we’ll have a rich identity system you could call Who 2.0.

Just like you are starting to see Where 2.0 in the way that mapping is starting together…so you think about the various dimensions of the data that we interact with who, where what, when, why and how are a little bit harder but the more pragmatic dimensions will become part of this new data oriented operating system that we are building.

“I’ve noticed that whenever I have a photo on Flickr that I want to embed in my blog, I make a local copy and link to that. Flickr may well out-last the Fishbowl, but at least the continuing availability of my webserver is something that I have a say in.” — Me, a few minutes ago.

I registered the pastiche.org domain back in 1997. Since then I’ve been through a half dozen or more ISPs and hosting services, but I’ve done so secure in the knowledge that so long as I keep paying my domain renewal fees, my email address, website and whatever other Internet perks I feel like having will follow me wherever I go.

(There are disadvantages, of course. Even for a non-entity such as myself, eight years of being careless with the one email address leads to a lot of spam.)

I had this conversation with a friend, and they told me not to worry: Gmail is likely to survive longer than I’m going to need an email address anyway. But that’s not the point. In five years, Gmail is going to be what Hotmail is today, and there will be another service that’s cooler and more capable that people will rather be keeping their email in.

“Letting somebody else own your name means that they own your destiny on the Internet…. As soon as you realize you’re serious about blogging, move it away from a domain name that’s controlled by somebody else. The longer you delay, the more pain you’ll feel when you finally make the move.” — Jakob Nielsen’s Weblog Usability mistakes, #10.

Recently, Australian politician Malcolm Turnbull proposed that the government give each citizen a lifetime email address. There were obvious flaws: the proposed address scheme — first name, surname, date of birth — consists of two pieces of data that can change, and one that people often want to conceal. Regardless, the underlying concept of a permanent ‘digital identity’ is an important one. After all, cool URIs don’t change.

If there’s a Web 3.0, it’s not going to be about giving you cool sites to put your stuff on “out there”, but about giving you the tools to build that cool stuff on top of your own persistent, personal space on the net… in a way that when the services change, the technology advances and the trends turn, the stuff stays where it is.

Reading Slashdot I found this article about the Open Phone coming out with a Linux operating system. They left lots of room for folks to write apps to run on top of it. It sounds like a great platform for some identity applications and UI experimentation. Maybe we can have a session at IIW regarding its potential.

On another note I went to ‘digg’ it and it asked me to login….I don’t want another name and password thank you!

So, right now the only way to verify that I own an account online “that I am who I am” is giving a third party the login to my account.

I want MyAPI, a secondary login for making assertions of ownership of an account as well as access to data in that account – like the books that I have bought, my LinkedIn contacts, my buddy list, etc.

We need standard ways to access (via MyAPI) and share this information (putting information in standard formats (XRI perhaps?) so that it can be integrated and aggregated by me and services that I want to use).

MyAPI has a different password than my ‘primary’ account and perhaps there are a few different levels of privileges.
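One way the MyAPI idea could look, as an added sketch that is not from the original post: the owner uses the primary password only to issue and revoke per-service secondary credentials, each limited to an ownership assertion or to named data scopes. The class, privilege levels, scope names and service hosts are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical privilege levels: "ownership" proves the account is mine,
# "read" additionally exposes the data scopes named in the grant.
LEVELS = {"ownership": 0, "read": 1}


class Account:
    def __init__(self, owner, primary_password, data):
        self.owner = owner
        self._salt = secrets.token_bytes(16)
        self._primary = self._kdf(primary_password)
        self._data = data
        self._grants = {}   # sha256(secondary credential) -> grant

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _require_owner(self, primary_password):
        if not hmac.compare_digest(self._kdf(primary_password), self._primary):
            raise PermissionError("primary password required")

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, primary_password, service, level, scopes=()):
        """Owner-only: mint a secondary credential for one third party."""
        self._require_owner(primary_password)
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        token = secrets.token_urlsafe(24)
        # Only a digest is stored, so a leaked grant table reveals no credential.
        self._grants[self._digest(token)] = {
            "service": service, "level": level, "scopes": tuple(scopes)}
        return token

    def revoke(self, primary_password, service):
        """Owner-only: cut one service off without changing anything else."""
        self._require_owner(primary_password)
        self._grants = {d: g for d, g in self._grants.items()
                        if g["service"] != service}

    def assert_ownership(self, token):
        grant = self._grants.get(self._digest(token))
        if grant is None:
            return None
        return {"account": self.owner, "verified_for": grant["service"]}

    def read(self, token, scope):
        grant = self._grants.get(self._digest(token))
        if (grant is None or LEVELS[grant["level"]] < LEVELS["read"]
                or scope not in grant["scopes"]):
            raise PermissionError(f"credential does not cover {scope!r}")
        return self._data[scope]


if __name__ == "__main__":
    # Constructed sample account and data.
    acct = Account("alice", "primary-pw", {"books": ["Book A"], "contacts": ["Joe"]})
    token = acct.issue("primary-pw", "aggregator.example", "read", ["books"])
    print(acct.assert_ownership(token), acct.read(token, "books"))
```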

This story is an interesting one because it shows what a citizenry empowered with almost omni-present communication tools can do to share information and build a coherent picture of one person’s movement over time creating the participatory panopticon. I wonder how much citizen surveillance of government officials and their actions will become the norm. Here is the original Gawker page – where all the intelligence was gathered.

Our democracy depends on honest leaders who promote transparency and accountability in the management of our resources. How do we protect such leaders from being terrorized by corrupt special interests that play dirty?

The only way is with real accountability of the action of government officials and transparency of where money and rescues flow.

Just in case Condi was wondering if her help would be needed. This disaster WAS NOT UNPREDICTABLE – in fact it was anticipated and she would likely be needed in her role as secretary of state to get help from other countries.

On Thursday, September 1 on Good Morning America George W. Bush said, “I don’t think anyone anticipated the breach of the levees.” This is a flat, baldfaced lie. In early 2001 the Federal Emergency Management Agency (FEMA) identified the three most likely megadisasters that would strain the country’s ability to respond: a terrorist attack in New York City, an earthquake in Southern California, and a hurricane hitting New Orleans. The levees in New Orleans have been breached before. The Mississippi River flood of 1927 did so. Every disaster planning exercise involving New Orleans has assumed that part of the tragedy would be breached levees, a flooded city, and human beings trapped with no food, water, or sanitary facilities. A few minutes of searching the Internet will turn up literally dozens of studies showing that a hurricane of category 3 or more hitting the lower Mississippi would breach the flood protection levees. Breached levees were no surprise and to say that they were is a lie

Ms. Rice should have been on the phone to countries whose help we could well use now to cope with the situation faced by the south. This references the letter from my last post.

The Mississippi Delta region is the natural ecological home of a long list of infectious microbial diseases. It is America’s tropical region, more akin ecologically to Haiti or parts of Africa than to Boston or Los Angeles. The most massive Yellow Fever epidemics in the Americas all swept, in the 19th Century, up the Mississippi from the delta region.

It is perhaps ironic that the only real experience with this scale of insect control for the last two decades has been in developing countries: the CDC and State health folks should be reaching out to PAHO and the insect control expertises of Africa and the Caribbean right now. If we cannot manage to get ahead of the insects, there could very well be a disease crisis ahead.

Can open source intelligence and societal information sharing help us as a society get around the need to have ‘government officials’ who are responsible but instead give us the power to collectively organize ourselves?

The first day of OSCON05 was great.
I had a meeting with a potential client for Integrative Activism in the morning, went downtown and picked up more business cards, and headed to the airport.

I had an identity ‘incident’ after making it through security. I went to add minutes to my phone and somehow got popped out to a personal operator. She REQUIRED the last four digits of my SSN so they could ‘verify’ my identity by pulling information from the cloud to determine I am me. They would have the service that does this call me within the hour to ask me questions. This happened the last time I went to put money on this phone. It is quite disconcerting. Luckily this time I canceled the order and managed to make it through just ‘touch’ tone and get minutes on my phone.